Vendor Due Diligence

Reduce Risk When Onboarding Vendors Through Due Diligence Assessments

Pivot Point Security provides vendor due diligence services to help organizations assess the security posture of their third-party vendors. Our team of experienced professionals will work together with your organization to develop a vendor review process (e.g., vendor due diligence questionnaires, audit program), and implement policies and procedures to create a robust and consistent vendor risk management program. With Pivot Point Security’s expertise in third party roisk management, you can be assured that your third party risk has been significantly reduced.

Why is Vendor Due Diligence Important?

Even more so with COVID-19, businesses of all shapes and sizes are increasingly reliant on third-party vendors to deliver business-critical services, including storing transferring and/or processing sensitive data. But outsourcing key business processes to vendors can introduce substantial risk, which many companies struggle to evaluate and manage.

As data breach reports overwhelmingly show, your information security posture may be only as strong as the security of your weakest vendor. Likewise, your ability to manage your vendor risk exposure is only as strong as your vendor due diligence program.

When vendor issues impact your business and brand, your organization ultimately bears the responsibility and the consequences—such as compliance penalties, recovery costs and reputational damage. This makes vendor due diligence a basic aspect of operational and financial responsibility to your stakeholders, and the backbone of your third-party risk management (TPRM) activities.

image 26 min

What is Vendor Due Diligence?

The US Federal Deposit Insurance Corporation (FDIC) defines vendor due diligence as: “a review of all available information about a potential third party, focusing on the entity’s financial condition, its specific relevant experience, its knowledge of applicable laws and regulations, its reputation, and the scope and effectiveness of its operations and controls.”

The purpose of a vendor due diligence review is to give you the background you need to decide whether establishing or continuing a relationship with a vendor is worth the risk. You’d typically review a vendor during the selection process, and on a periodic basis (e.g., yearly or at contract renewal time) thereafter.

You might also need to review specific vendors anytime your risk profile changes significantly in relation to them (e.g., you make major changes to your IT environment, like supporting a remote workforce) or when their risk profile changes (e.g., they face legal action, disclose a data breach, announce layoffs, or are involved in a merger).

What is Vendor Due Diligence Questionnaire?

Given its importance to your operations, your vendor due diligence review process needs to be as in-depth and thorough as possible, especially for critical and/or high-risk vendors. Vendor due diligence questionnaires are one way to reduce the time and effort required to adequately assess vendor risk, versus more resource-intensive procedures like onsite audits.

Using high-quality vendor due diligence questionnaires can help accelerate your third-party risk management program by enabling you to quickly evaluate key risks without belaboring your staff (and your vendors’) with a barrage of unnecessary questions. Vendor due diligence questionnaires can be part of a software-as-a-service (SaaS) offering or can be as simple as an Excel spreadsheet.

You may initially want to create a “one size fits all” vendor due diligence questionnaire, or even use a premade template. But you will almost certainly get better results with less effort by customizing questionnaires or creating several different questionnaires based on vendor criticality, vendor risk level, vendor service category and/or your compliance needs.

Whatever its format, the goals of a vendor due diligence questionnaire can include reducing vendor due diligence cost and complexity, as well as standardizing how you compare and evaluate vendors. Vendor due diligence questionnaires can also help reduce procurement lead time and time-to-benefit for the vendor relationship.

What are some of the information types that vendor due diligence questionnaires typically collect? Here are a few simplistic examples:

Information security risk

  • Have you experienced any data security incidents in the past year?
  • Do your cybersecurity controls meet or exceed our own internal standards?
  • Can you demonstrate a strong security posture via a recent cybersecurity risk assessment or audit?

Business continuity

Compliance

  • What regulations, including new regulations, are you required to comply with?
  • Do you have a compliance program in place?
  • Are you currently subject to any regulatory action?

“Fourth-party” risk

  • Who are your critical third parties?
  • Have any changed in the past year, and why?
  • Are your third parties contractually mandated to meet your security guidelines?

Financial strength

  • Has your company been profitable over the past year?
  • Has your product/service market share remained stable or grown in the past year?
  • Have you made any major changes in your product/service delivery or technology in the past year?

Legal risk

  • Are you subject to any lawsuits or other legal actions currently or in the past year?
  • Have you been subject to a high number of customer complaints in the past year?

Why Conduct Vendor Due Diligence Assessments?

As de facto extensions of your business, vendors interrelate with your systems, data and employees. As such, they invariably expose you to significant financial, compliance and reputational risk that you need to assess and manage to ensure ongoing operations. In fact, a 2019 Ponemon Institute study found that 59% of companies experienced a data breach caused by a vendor within the past year.

Vendor due diligence assessments are your starting point for addressing vendor risk. But despite their criticality, many businesses don’t conduct adequate vendor assessments. For example, almost 25% of businesses don’t even know whether they have recently been impacted by a vendor’s data breach. Many also don’t have an accurate inventory of the vendors they share sensitive data with.

Vendor due diligence assessments are essential to reduce this “not knowing what you don’t know” level of unknown risk exposure. They can also empower your business in several related ways:

  • They greatly improve your overall business risk assessment capability
  • They enable you to comply with regulations that require vendor due diligence
  • They can help you evaluate vendors and potentially tip you off that a different vendor might be a better fit for your organization

What are the Benefits of a Vendor Due Diligence Program?

A vendor due diligence program is all about reducing business risk to an acceptable level. This primarily encompasses the interrelated financial and reputational risks posed by data breaches and post-breach remediation, exfiltration of intellectual property and noncompliance with regulations.

Another benefit of a robust, centralized vendor due diligence program is to ultimately reduce the labor expense and time needed to establish and maintain vendor relationships. Making the process more efficient and standardized eliminates ad hoc/manual tasks and duplication of effort. Even just having a unified vendor due diligence process that covers IT, legal and procurement requirements and information needs can be huge.

In addition, understanding a vendor’s risk profile—especially over time and/or relative to competing providers—can give your team leverage to create more favorable contractual agreements with that vendor. Knowing more about vendors’ business and cybersecurity practices upfront can also help you choose the best vendors in the first place. Both these outcomes will likely save you money and/or lead to better customer experiences and stronger vendor partnerships.

Finally, vendor due diligence programs are increasingly mandated by regulators and therefore help drive compliance. The EU’s General Data Protection Regulation (GDPR), for instance, requires “data controllers” (often the outsourcer) to have appropriate controls in place to protect sensitive data that third-party “data processors” are handling. The overall regulatory focus is unquestionably on driving down third-party risk, and thus many firms will have no choice but to implement a vendor due diligence program within the next few years.

Accelerated Vendor Due Diligence

Our proprietary Accelerated Vendor Due Diligence (AVDD) tool is a paradigm shift in the vendor risk management (VRM) industry. With AVDD, you don’t need to continue down the same problematic path to vendor due diligence.

Third-Party Risk Management Consulting

Most organizations need to know their information is safe with their third-parties, as well as prove they are secure to key stakeholders (like a customer). Our team designs and executes Third Party Risk Management (TPRM) and Vendor Risk Management (VRM) programs to help organizations understand and mitigate third-party risk.

Next Steps

Every business needs standardized, repeatable processes to eliminate barriers to growth and success. Vendor due diligence is one of the most high-priority processes you can put in place. Not only can it can save you money and protect you from unacceptable risks upfront, but also it can deliver a strong return on investment over time in terms of savings and security.

But knowing that vendor due diligence is critical doesn’t make it easy. With over 30 years of combined vendor risk management experience, Pivot Point Security offers a unique, affordable end-to-end program that can be ramped up quickly and integrates smoothly with your existing workflows. We can also help you strategize creating your own program or improving current processes.

Schedule time to brainstorm with a vendor risk management expert

What is the Vendor Due Diligence checklist?

A vendor due diligence checklist is an important way to reduce the time and effort required to assess vendor risk, versus more resource-intensive approaches like onsite audits. Vendor due diligence checklists can enable you to quickly evaluate key risks without overwhelming your staff or your vendors’.

These checklists frequently take the form of software-as-a-service (SaaS) software or Excel spreadsheets. Many are “one size fits all” but can be customized to yield better results based on vendor criticality, vendor risk level, compliance requirements, etc.

What is Vendor Due Diligence policy?

Vendor due diligence policies help you consistently and effectively validate that your data is safe with key partners. Your vendor due diligence policy should be as in-depth and thorough as possible, especially for critical and/or high-risk vendors. Your policy should help reduce procurement lead time, simplify vendor relationships and reduce vendor due diligence cost and complexity while standardizing how vendors are evaluated and compared.

Who can I trust when it comes to Vendor Due Diligence services?

When you choose to outsource vendor due diligence services, look for these features in a trusted partner:

  • A “team approach” that requires no additional staffing on your end
  • A “co-managed” program that can be up and running quickly and integrates smoothly with your existing processes
  • Significant third-party risk management (TPRM) experience, including expert staff who hold relevant certifications like Certification in Risk Management Assurance (CRMA) and Certified Third Party Risk Professional (CTPRP)
  • Staffing with full-time experts to ensure a level of service above “one-and-done” security contractors
  • A proven process based on risk tiering that enables you to accurately target and budget your outsourced program to maximize the cost/benefit ratio

What are the benefits of Vendor Due Diligence?

Improperly managed vendor risk accounts for more data breaches than any other source besides phishing. This makes understanding and mitigating vendor risk essential for business continuity. Running your company without knowing your risk exposure from vendors and other third parties puts you in the path of disaster. Vendor due diligence also offers you and your key stakeholders peace of mind, knowing you are operating in a secure environment and can demonstrate this on request.

What are some of the Vendor Due Diligence best practices?

Vendor due diligence should probe a wide range of data on a vendor’s business, including its financial condition, adherence to applicable regulations, market reputation, and the scope and effectiveness of its security controls. The data you get from a due diligence review should give you sufficient background to determine whether establishing or continuing a relationship with a vendor is worth the risk.

You should review a vendor prior to signing a contract with them, and then on a periodic basis thereafter, e.g., yearly or at contract renewal time. You might also need to review certain vendors if your risk profile changes significantly in relationship to them (e.g., you make major changes to your IT environment, such as supporting remote work) or when their risk profile changes (e.g., they disclose a data breach, announce layoffs, are involved in a merger, or face legal action).

Other vendor due diligence best practices include:

  • Prioritizing vendors based on the level of risk they present, especially the sensitivity of the data shared with them
  • Automating the vendor due diligence questionnaire process with software to streamline operations, enforce consistency, and ensure comprehensive visibility into vendor risk